b"               `\xc2\xa0\n\n               \xc2\xa0\n\n               \xc2\xa0         U.S.\xc2\xa0ENVIRONMENTAL\xc2\xa0PROTECTION\xc2\xa0AGENCY\xc2\xa0\n\n                         OFFICE\n                         \xc2\xa0     \xc2\xa0OF\xc2\xa0INSPECTOR\xc2\xa0GENERAL\xc2\xa0\n\n\n\n\n                         EPA\xe2\x80\x99s National Security\n                         Information Program\n                         Could Be Improved\n                         Report No. 12-P-0543                                     June 18, 2012\n\n\n\n\n                       REDACTED VERSION FOR PUBLIC RELEASE\n\n                     This is a redacted version of the full report, which means that information\n                        has been removed. The redaction is clearly identified in the report.\n\n\n\n\nScan this mobile\ncode to learn more\nabout the EPA OIG.\n\x0cReport Contributors:                               Chris Baughman\n                                                   Hilda Canes Gardu\xc3\xb1o\n                                                   Eric Lewis\n\n\n\n\nAbbreviations\n\nCFR           Code of Federal Regulations\nEO            Executive Order\nEPA           U.S. Environmental Protection Agency\nISOO          Information Security Oversight Office\nNSI           National Security Information\nOARM          Office of Administration and Resources Management\nOCFO          Office of the Chief Financial Officer\nOIG           Office of Inspector General\nOPM           U.S. Office of Personnel Management\nSF            Standard Form\n\n\n\n\n  Hotline\n  To report fraud, waste, or abuse, contact us through one of the following methods:\n\n  e-mail:    OIG_Hotline@epa.gov                      write:    EPA Inspector General Hotline\n  phone:     1-888-546-8740                                     1200 Pennsylvania Avenue NW\n  fax:       202-566-2599                                       Mailcode 2431T\n  online:    http://www.epa.gov/oig/hotline.htm                 Washington, DC 20460\n\x0c                        U.S. Environmental Protection Agency \t                                                  12-P-0543\n                                                                                                             June 18, 2012\n                        Office of Inspector General\n\n\n                        At a Glance\n\nWhy We Did This Review              EPA\xe2\x80\x99s National Security Information Program\nThe Office of Inspector\n                                    Could Be Improved\nGeneral (OIG) is responsible\nfor independently reviewing          What We Found\nU.S. Environmental Protection\nAgency (EPA) programs               Under its classified NSI program, EPA has assigned responsibilities and provided\nrelated to national security.       guidance, training, and oversight. EPA program offices provide secure equipment\nWe evaluated EPA\xe2\x80\x99s classified       and space, following NSI program specifications. EPA has procedures in place so\nnational security information       employees can obtain security clearances and classify information. Annual\n(NSI) infrastructure. We            reports are prepared on the status of the program. Thus, EPA can create, receive,\nperformed this review as            handle, and store classified material needed to fulfill its responsibilities related to\nrequired by the Reducing            its homeland security, emergency response, and continuity missions.\nOver-Classification Act.\n                                    We found that EPA\xe2\x80\x99s NSI program needs improved internal controls to address\nBackground                          the following deficiencies:\n\nExecutive Order 13526,                  \xef\x82\xb7\t Although EPA keeps three copies of an employee\xe2\x80\x99s signed Classified\nClassified National Security               Information Nondisclosure Agreement, Standard Form 312, it does not\nInformation, prescribes a                  store a copy in the employee\xe2\x80\x99s Official Personnel Folder, as provided in\nuniform system for classifying,            guidance from the Office of Personnel Management (OPM). OPM\xe2\x80\x99s\nsafeguarding, and declassifying            regulation requires that personnel records be maintained in accordance\nnational security information.             with OPM guidance.\nAccording to the executive              \xef\x82\xb7\t Not all individuals with an EPA security clearance are completing the\norder and the related                      required annual refresher training.\nregulations, national security          \xef\x82\xb7\t EPA does not always promptly withdraw a clearance when an employee\ninformation can be classified as           leaves EPA, which may result in a person accessing classified NSI to\nTop Secret, Secret, or                     which he or she is no longer privileged.\nConfidential, depending on the          \xef\x82\xb7\t EPA regulation, policies, and basic guidance document for the NSI\ndamage that may be caused by               program do not reflect the current government-wide requirements, and\nits release. The Office of                 the basic guidance document is currently not an Agency-wide directive\nAdministration and Resources               even though it impacts the entire EPA.\nManagement manages EPA\xe2\x80\x99s\nNSI program.                        We did not assess the readiness of EPA\xe2\x80\x99s NSI program in the event of an actual\n                                    national security incident.\n\nFor further information, contact     Recommendation/Planned Agency Corrective Actions\nour Office of Congressional and\nPublic Affairs at (202) 566-2391.\n                                    We recommend that the Assistant Administrator for Administration and\nThe full report is at:              Resources Management issue a directive to establish controls that address the\nwww.epa.gov/oig/reports/2012/       deficiencies identified in this report. The Agency partially agreed with our\n20120618-12-P-0543.pdf              recommendation, and provided alternate corrective actions with completion dates\n                                    that we consider acceptable. We consider the recommendation resolved.\n\x0c                       UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                                    WASHINGTON, D.C. 20460\n\n\n                                                                                THE INSPECTOR GENERAL\n\n\n\n\n                                          June 18, 2012\n\nMEMORANDUM\n\nSUBJECT:\t EPA\xe2\x80\x99s National Security Information Program Could Be Improved\n          Report No. 12-P-0543\n\n\nFROM:          Arthur A. Elkins, Jr.\n\nTO:            Craig E. Hooks\n               Assistant Administrator for Administration and Resources Management\n\n\nThis is our report on the subject evaluation conducted by the Office of Inspector General (OIG)\nof the U.S. Environmental Protection Agency (EPA). This report contains findings that describe\nthe problems the OIG has identified and corrective actions the OIG recommends. This report\nrepresents the opinion of the OIG and does not necessarily represent the final EPA position.\nFinal determinations on matters in this report will be made by EPA managers in accordance with\nestablished audit resolution procedures.\n\nAction Required\n\nAlthough this report contains a recommendation, you are not required to respond. Your response\nto the draft report and supplemental information identified corrective actions, including\nmilestone dates, acceptable to us. Therefore, we are closing this report upon issuance. The\ncorrective actions not yet completed must be monitored through EPA\xe2\x80\x99s Management Audit\nTracking System.\n\nShould you respond, your response will be posted on the OIG\xe2\x80\x99s public website, along with our\nmemorandum commenting on your response. Your response should be provided as an Adobe\nPDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation\nAct of 1973, as amended. The final response should not contain data that you do not want to be\nreleased to the public; if your response contains such data, you should identify the data for\nredaction or removal. We have no objections to the further release of this report to the public.\nWe will post this report to our website at http://www.epa.gov/oig.\n\nWe have redacted information on page 16 of this report to withhold the name of an individual.\n\nIf you or your staff have any questions regarding this report, please contact Eric Lewis, Director\nof Special Reviews, at (202) 566-2664 or lewis.eric@epa.gov.\n\x0cEPA\xe2\x80\x99s National Security Information Program                                                                              12-P-0543\nCould Be Improved\n\n\n                                  Table of Contents \n\n\nChapters\n   1    Introduction .......................................................................................................      1\n\n\n                Purpose ......................................................................................................    1     \n\n                Background ................................................................................................       1     \n\n                Scope and Methodology .............................................................................               3     \n\n\n   2    Internal Controls Need Improvement ..............................................................                         4\n\n\n                Nondisclosure Agreements Should Be in Official Personnel Folders .........                                        4\n\n                Annual Training Needs Better Monitoring ...................................................                       6\n\n                Clearances Should Be Promptly Withdrawn When Staff Leave .................                                        7\n\n                EPA\xe2\x80\x99s Guidance Is Not Current or in the Form of a Directive......................                                 8\n\n                Guidance Revision Delayed by Pending Regulation Update .....................                                      9\n\n                Conclusion ..................................................................................................    10     \n\n                Recommendation .......................................................................................           10     \n\n                Agency Response and OIG Evaluation ......................................................                        10 \n\n\n   Status of Recommendations and Potential Monetary Benefits..............................                                       12 \n\n\n\n\nAppendices\n   A    Agency Response to Draft Report and OIG Evaluation..................................                                     13 \n\n\n   B    E-mail From U.S. Office of Personnel Management........................................                                  18 \n\n\n   C    Distribution .........................................................................................................   19 \n\n\x0c                                  Chapter 1\n\n                                  Introduction\nPurpose\n            The Office of Inspector General (OIG) evaluated how effectively the U.S.\n            Environmental Protection Agency (EPA) manages its classified national security\n            information (NSI) program and distributes classified information to those who\n            need it. This report complies with the Reducing Over-Classification Act (Public\n            Law 111-258), which calls for Inspectors General (1) \xe2\x80\x9cto assess whether\n            applicable classification policies, procedures, rules, and regulations have been\n            adopted, followed, and effectively administered\xe2\x80\x9d and (2) \xe2\x80\x9c to identify policies,\n            procedures, rules, regulations, or management practices that may be contributing\n            to persistent misclassification of material.\xe2\x80\x9d The law requires that OIGs complete\n            at least two evaluations by September 30, 2016. The initial evaluation must be\n            completed no later than September 30, 2013. This report, along with the prior\n            EPA OIG report, EPA Should Prepare and Distribute Security Classification\n            Guides (Report No. 11-P-0722; September 29, 2011), constitute part of the initial\n            evaluation. The OIG may perform additional work before September 30, 2013, to\n            comply with the law.\n\nBackground\n            EPA has had a program to safeguard classified NSI since at least 1972. Such\n            programs must comply with the December 2009 Executive Order (EO) 13526,\n            Classified National Security Information, which prescribes a uniform system for\n            classifying, safeguarding, and declassifying NSI. According to this EO and the\n            implementing regulations, NSI can be classified as Top Secret, Secret, or\n            Confidential, depending on the damage that may be caused by its release. EPA\n            also has a sensitive compartmented information program that imposes access,\n            storage, and handling controls beyond those normally required for access to\n            information classified as Confidential, Secret, or Top Secret.\n\n            EPA creates, receives, handles, and stores classified material because of its\n            homeland security, emergency response, and continuity missions. The EPA\n            Administrator has had original classification authority since May 2002 and at the\n            time could delegate the authority. In December 2009, the Administrator\xe2\x80\x99s\n            delegation authority was withdrawn, so the Administrator is the only person at EPA\n            with original classification authority. Original classification means an initial\n            determination that information requires, in the interest of national security,\n            protection against unauthorized disclosure. During fiscal years 2004 through 2010,\n            EPA originally classified six documents. In early 2011, the Administrator classified\n            a seventh document. Although EPA has classified information, as discussed in EPA\n            OIG Report No. 11-P-0722, it has not issued any classification guides.\n\n\n12-P-0543                                                                                     1\n\x0c            Individuals may have access to classified information through EPA only if they\n            possess a valid and appropriate security clearance; have signed a Standard Form\n            (SF) 312, Classified Information Nondisclosure Agreement; and have a valid need\n            to know the information. EPA has procedures in place to provide employees with\n            a security clearance if their office decides the individual needs one. The Security\n            Management Division has an electronic information system to track the related\n            investigation and resulting clearance. EPA also has procedures to obtain a signed\n            SF 312 from the individual after their clearance is approved. In February 2011,\n            EPA had about 17,600 employees and 1,432 valid security clearances.\n\n            The Assistant Administrator for Administration and Resources Management has\n            been delegated overall authority for the NSI program. The Assistant\n            Administrator may, and has, delegated much of this authority to the Security\n            Management Division, Office of Administration, Office of Administration and\n            Resources Management (OARM). The Security Management Division created an\n            NSI program team to manage the program. In addition, all major EPA offices\n            assigned at least one employee as an NSI representative to coordinate the program\n            at their organization. Typically, this responsibility is assigned as an additional\n            duty. The NSI program team gives the NSI representatives supplemental training.\n\n            Each year OARM sends reports about EPA\xe2\x80\x99s NSI program to the Information\n            Security Oversight Office (ISOO), National Archives and Records\n            Administration. The ISOO is responsible for oversight of the government-wide\n            security classification system. EPA\xe2\x80\x99s annual reports are based, in part, on reports\n            provided by the NSI representatives.\n\n            EPA has procedures in place to approve secure areas for storing, processing,\n            handling, and discussing classified NSI. With one exception, all major EPA\n            offices have such secure areas. Except for two offices, they also have containers\n            (e.g., safes) to store classified material. The security level of the areas and\n            containers varies from Secret, to Top Secret, to Top Secret with sensitive\n            compartmented information. The Security Management Division inspects the\n            facilities on a 3-year cycle. Of the secure areas for five organizations that we\n            visited, two organizations (Regions 3 and 8) were not storing any classified\n            information. However, both were capable of protecting classified information, up\n            to and including Top Secret information. The other three organizations were\n            properly storing classified information.\n\n            With one exception, all major EPA offices have equipment for secure\n            communications. At a minimum, each office has at least one secure telephone.\n            The security level for the telephones varies from Secret, to Top Secret, to Top\n            Secret with sensitive compartmented information. Some offices also have secure\n            facsimile machines, cellular telephones, and satellite telephones. EPA also has\n            terminals for the secure information systems of other federal agencies.\n\n\n\n\n12-P-0543                                                                                         2\n\x0cScope and Methodology\n            We performed our review from December 2010 through February 2012. We\n            conducted our work in accordance with generally accepted government auditing\n            standards issued by the Comptroller General of the United States. Those standards\n            require that we plan and perform the review to obtain sufficient, appropriate\n            evidence to provide a reasonable basis for our findings and conclusions based on\n            our objectives. We believe the evidence obtained provides a reasonable basis for\n            our findings and conclusions based on our objectives. We assessed internal\n            controls over the NSI program.\n\n            To obtain an overall understanding of EPA\xe2\x80\x99s NSI program, we reviewed internal\n            guidance, documents, and reports, as well as guidance applicable throughout the\n            federal government. We also interviewed staff from OARM; the Office of\n            Homeland Security, within the Office of the Administrator; and the Office of\n            Solid Waste and Emergency Response, which works with the Office of Homeland\n            Security to provide EPA offices with secure communication equipment.\n\n            During our field work, we examined how the NSI program operates in five EPA\n            organizations:\n\n               \xef\x82\xb7   Office of Air and Radiation, Washington, DC\n               \xef\x82\xb7   Office of Research and Development\xe2\x80\x99s National Homeland Security\n                   Research Center, Cincinnati, Ohio\n               \xef\x82\xb7   Office of Water, Washington, DC\n               \xef\x82\xb7   Region 3, Philadelphia, Pennsylvania\n               \xef\x82\xb7   Region 8, Denver, Colorado\n\n            The process included interviewing the organizations\xe2\x80\x99 NSI representatives and\n            some of its staff with security clearances; reviewing related documentation;\n            inspecting some of the organizations\xe2\x80\x99 secure areas and safes; verifying the\n            clearances of those interviewed; and verifying the annual NSI training completed\n            by the organizations\xe2\x80\x99 cleared staff.\n\n            In addition to the activities of these five organizations, we verified the annual\n            training of cleared staff in the Office of the Chief Financial Officer, and\n            withdrawal of the security clearances for 20 cleared staff members who left EPA\n            during the first 6 months of 2011.\n\n            We did not assess the readiness of EPA\xe2\x80\x99s NSI program in the event of an actual\n            national security incident. We noted internal control deficiencies in chapter 2 of\n            this report and in the previously mentioned OIG report on classification guides\n            (Report No. 11-P-0722).\n\n\n\n\n12-P-0543                                                                                        3\n\x0c                                  Chapter 2\n\n             Internal Controls Need Improvement\n            EPA has established an infrastructure that can deliver a minimum level of\n            Secret NSI to major EPA offices, and at least 10 offices can handle higher-level\n            classified NSI. However, we found deficiencies in the following procedural\n            aspects of the NSI program:\n\n               \xef\x82\xb7\t EPA does not put each employee\xe2\x80\x99s signed SF 312 in his or her Official\n                  Personnel Folder. The SF 312 is the legally binding classified information\n                  nondisclosure agreement between the employee and the U.S. government.\n                  OPM guidance provides for it to be kept in the employee\xe2\x80\x99s Official\n                  Personnel Folder.\n\n               \xef\x82\xb7\t Annual refresher training is not being completed by everyone with an EPA\n                  security clearance. Better monitoring is needed to ensure all those with\n                  clearances complete the required training.\n\n               \xef\x82\xb7\t Clearances are not being promptly withdrawn when an employee leaves\n                  EPA. Consequently, former employees could potentially access classified\n                  NSI to which he or she is no longer privileged.\n\n               \xef\x82\xb7\t EPA\xe2\x80\x99s regulation, policies, and basic guidance document for the NSI\n                  program are out of date and do not reflect current government-wide\n                  requirements for NSI programs. Additionally, the basic guidance\n                  document does not comply with EPA requirements for directives.\n\n            As a result of these control deficiencies, EPA cannot assure that access to\n            classified material is restricted to those who have a clearance and are\n            appropriately trained.\n\nNondisclosure Agreements Should Be in Official Personnel Folders\n            EPA does not put an SF 312, Classified Information Nondisclosure Agreement,\n            signed by an EPA employee, in his or her Official Personnel Folder. The Official\n            Personnel Folder is part of the records of the U.S. Office of Personnel\n            Management (OPM). As stated in OPM\xe2\x80\x99s regulation, 5 CFR Part 93, Subpart C,\n            Section 293.303:\n\n                   Ownership of folder.\n                   The OPF of each employee in a position subject to civil service\n                   rules and regulations is under the jurisdiction and control of, and is\n                   part of the records of, the Office of Personnel Management (the\n                   Office).\n\n\n12-P-0543                                                                                      4\n\x0c            It must contain long-term records affecting the employee\xe2\x80\x99s status and service, as\n            required by OPM instructions and designated in the guidance. According to the\n            OPM guidance, the life of the Official Personnel Folder is usually 115 years from\n            the employee\xe2\x80\x99s date of birth.\n\n            Before being given access to classified information, an employee of the federal\n            government or one of its contractors, licensees, or grantees must sign an SF 312.\n            The SF 312 documents an employee\xe2\x80\x99s legally binding acceptance of obligations\n            in consideration of being granted access to classified information. According to\n            EPA\xe2\x80\x99s basic guidance document, the December 2006 National Security\n            Information Handbook (handbook), the NSI representative must obtain the\n            signature on the SF 312 after an individual completes the initial orientation\n            training. The handbook requires the NSI representative to mail the originally\n            signed SF 312 to the NSI program team. The Security Management Division\n            keeps three copies of a recently signed SF 312: an electronic version in its\n            electronic information system; a hard copy in the green security folder for the\n            employee; and a hard copy in the binder with all the other SF 312s. As required\n            by the implementing regulations, EPA plans to keep the SF 312s in the binder for\n            50 years from the date signed.\n\n            According to EPA management, it is EPA\xe2\x80\x99s practice to offer a copy of the SF 312\n            to those who sign one. Yet six individuals whom we interviewed informed us that\n            they did not have a copy of their SF 312. These six individuals were from three\n            organizations and had signed an SF 312. The signed SF 312 would be more\n            readily available to EPA employees if EPA placed it in their Official Personnel\n            Folder.\n\n            ISOO\xe2\x80\x99s regulation, as set forth in the Code of Federal Regulations (CFR), in\n            32 CFR Section 2001.80(d)(2)(vii), makes storing a copy of the SF 312 in the\n            Official Personnel Folder optional. The ISOO regulation, published in 2010,\n            states in part:\n\n                   [A]n agency may store the executed copy of the SF 312 and\n                   SF 189 in the United States Office of Personnel Management\xe2\x80\x99s\n                   Official Personnel Folder as a long-term (right side) document for\n                   that employee.\n\n            While ISOO is responsible for oversight of the government-wide security\n            classification system, it does not have responsibility for the Official Personnel\n            Folder. OPM regulation, as set forth in 5 CFR Part 293, Subpart C, requires\n            agencies to establish an Official Personnel Folder for each employee. The OPM\n            regulation, published in 2011, further states:\n\n                   The [Official Personnel Folder] shall contain long-term records\n                   affecting the employee\xe2\x80\x99s status and service as required by OPM\xe2\x80\x99s\n\n\n\n\n12-P-0543                                                                                       5\n\x0c                      instructions and as designated in the Guide to Personnel\n                      Recordkeeping.\n\n              That is, the OPM regulation requires that personnel records be maintained in\n              accordance with OPM guidance. OPM\xe2\x80\x99s guidance, The Guide to Personnel\n              Recordkeeping: Operating Manual, specifically identifies the SF 312 and its\n              predecessor, SF 189, in Section 3-G, Other Personnel Documents. The related\n              filing instructions are to \xe2\x80\x9cFile the Standard Form 312 and Standard Form 189 on\n              the right side\xe2\x80\x9d [of the Official Personnel Folder]. Thus, the SF 312 should be in\n              the employee\xe2\x80\x99s Official Personnel Folder. The Security Management Division\n              was unaware of the OPM guidance to store the SF 312 in the employee\xe2\x80\x99s Official\n              Personnel Folder.\n\nAnnual Training Needs Better Monitoring\n              EPA offers NSI program training on its Intranet that covers the initial security\n              orientation, being a courier of classified information, marking classified\n              documents, and accounting for Top Secret material. EPA also offers a termination\n              briefing when the clearance is terminated. In addition, those with a clearance must\n              take refresher training at least once a year. In 2010, the refresher training was\n              offered through a Lotus Notes application that recorded who had completed the\n              training.\n\n              Not all of those who hold an EPA clearance completed the annual refresher\n              training in 2010. The National Security Information Handbook requires that all\n              such individuals must participate, annually at a minimum, in refresher training\n              that reinforces policies and procedures of the NSI program. According to the\n              handbook, the NSI representative shall administer the annual refresher training.\n\n              The NSI representatives for the five organizations we reviewed had procedures in\n              place to monitor who completed the annual training. Despite these procedures, a\n              number of people from different organizations did not complete the training, as\n              shown in table 1 below.\n\n     Table 1: Cleared EPA staff who did not take mandatory annual refresher training\n                                              Number of cleared staff\n                                                         as of            Percent of cleared staff\n                   Organization                     February 2011             who did not take\n                                                          Did not take             training\n                                              Total       2010 training\n      Office of Research and Development        108             5                     4.6\n      Office of Water                            42             7                     16.7\n      Region 3                                   73            11                     15.1\n     Sources: Security Management Division staff (as of February 2011) and results of OIG inquiries.\n\n              In addition, we reviewed the training records for the Office of the Chief Financial\n              Officer (OCFO) because, at that time, it had no NSI representative. Of the 14\n              people associated with the OCFO who have security clearances, 5 (or 35 percent)\n\n\n12-P-0543                                                                                              6\n\x0c            did not complete the 2010 training. Four of the five said that they were not\n            informed about the training. Since the OCFO had no NSI representative then, the\n            NSI program team was responsible for monitoring its training. On September 15,\n            2010, the NSI program team leader sent the cleared staff in the OCFO an e-mail\n            informing them that the 2010 annual training was available and must be\n            completed by November 15, 2010. The e-mail included a hyperlink to the\n            training. In August 2011, after we brought the matter to its attention, the OCFO\n            designated an NSI representative to serve as its local advisor and point of contact\n            for NSI-related matters.\n\n            We believe that the annual refresher training increases the likelihood that those\n            with security clearances will properly protect classified information, and the\n            training is particularly important to remind those with little or no contact with\n            NSI. Once granted a clearance, individuals in some organizations were more\n            likely than individuals in other organizations to be exposed to classified NSI.\n            Cleared staff from three organizations (Office of Air and Radiation, National\n            Homeland Security Research Center, and Office of Water) generally had contact\n            with NSI. The cleared staff from the regional offices (Region 3 and Region 8) had\n            little or no contact with classified NSI.\n\nClearances Should Be Promptly Withdrawn When Staff Leave\n            EPA\xe2\x80\x99s list of those with security clearances should be promptly revised to reflect\n            clearances that are, or should be, withdrawn. For example, when an employee\n            with a clearance leaves EPA, the employee clearance should be administratively\n            withdrawn. If the clearance is not withdrawn, the employee\xe2\x80\x99s name incorrectly\n            remains on the list of those with clearances. As a consequence, the employee\n            could potentially access classified NSI, either at EPA or another agency, to which\n            he or she is no longer privileged. The NSI representatives consult the list before\n            granting access to classified information. Each month, EPA provides its clearance\n            list to OPM so it can be included in the Central Verification System. Based on\n            information in the Central Verification System, another agency might grant\n            someone unauthorized access to protected information.\n\n            EPA administratively withdraws a clearance when the Security Management\n            Division receives documentation that the person received a termination briefing.\n            The handbook requires the NSI representative to provide a termination briefing to\n            all cleared employees who leave EPA or whose security clearance is terminated or\n            withdrawn for other reasons. The termination briefing shall address:\n\n               \xef\x82\xb7   The obligation to return to the appropriate EPA official all classified\n                   information in the employee\xe2\x80\x99s possession\n               \xef\x82\xb7   The continuing responsibility not to disclose any classified information to\n                   which the employee had access\n               \xef\x82\xb7   The potential penalties for noncompliance\n\n\n\n12-P-0543                                                                                         7\n\x0c               After completing the termination briefing, the employee must sign the security\n               debriefing acknowledgement section of SF 312. The NSI representative will mail\n               the signed SF 312 to the NSI program team.\n\n               Not all those who leave EPA receive a termination briefing; consequently, they do\n               not sign the SF 312. Without the signed SF 312, the Security Management\n               Division may not know to withdraw the person\xe2\x80\x99s clearance. Of the 20 cleared\n               staff who left EPA during the first 6 months of 2011, 8 did not receive a\n               termination briefing. This was due, in part, to some organizations using a\n               separation checklist that did not require a termination briefing for those with a\n               clearance. Even when the termination briefing is on the separation checklist,\n               employees may not properly complete it. The Security Management Division\n               discovered through other means that these eight individuals had left EPA, so they\n               processed a SF 312 without the employee\xe2\x80\x99s signature. This process started an\n               average of 28 days after the employee left. The employees\xe2\x80\x99 clearances were\n               withdrawn an average of 60 days after they left, instead of when or before they\n               left. Of the 12 who received a termination briefing, the clearances for 5 were\n               withdrawn before they left EPA.\n\n               Before starting the annual refresher training, the NSI representatives are supposed\n               to check the clearance list for accuracy. The NSI representatives\xe2\x80\x99 review was not\n               always effective. When reviewing those in the five organizations who had not\n               completed the 2010 refresher training, we found that the February 2011 clearance\n               list included five people from four offices who had left EPA long ago, as shown\n               in table 2.\n\n    Table 2: Years former employees were kept on clearance list after leaving EPA\n      Employee         Clearance        Left EPA           Years on list after leaving\n           A             Secret       January 2007                       4.1\n           B             Secret         Unknown                   At least 2 years\n          C            Top Secret     January 2008                       3.1\n          D            Top Secret       July 2006                        4.6\n           E           Top Secret    February 2002                       9.0\n    Sources: EPA staff and OCFO Reporting and Business Intelligence Tool, or ORBIT.\n\n\nEPA\xe2\x80\x99s Guidance Is Not Current or in the Form of a Directive\n\n               EPA has issued a regulation and policies for its NSI program, including orders\n               and a manual. As previously mentioned, the basic guidance document is the\n               National Security Information Handbook, but it needs to be updated to\n               incorporate recent changes in the national guidance. It cites EO 12958, as\n               amended, Classified National Security Information, dated April 1995. However,\n               EO 12958 was superseded by the December 2009 EO 13526. In June 2010, the\n               ISOO revised the related regulation in 32 CFR Part 2001. OARM has been in the\n               process of revising the handbook since at least February 2010 and expects to\n               complete the changes by January 31, 2012.\n\n\n12-P-0543                                                                                        8\n\x0c            The handbook does not incorporate the requirements of 19 sections in the CFR.\n            Thirteen of the 19 differences between the regulation and the guidance were\n            related to the changes made in the regulation after the handbook was issued. In\n            general, the changes to the regulation increased the number of requirements. The\n            requirements addressed such things as how long information remains classified,\n            reviewing classification guides, and automatic declassification.\n\n            The remaining six differences between the regulation and the handbook pertained\n            to storing information (\xc2\xa72001.43), transmitting bulky items (\xc2\xa72001.46), having a\n            memorandum of agreement (\xc2\xa72001.49), using information standards (\xc2\xa72001.51),\n            using standard forms (\xc2\xa72001.80), and defining terms (\xc2\xa72004.5).\n\n            The handbook is currently not in the form of an Agency-wide directive, even\n            though it impacts the entire EPA. In chapter 1, paragraph 4.j., the EPA 1315 -\n            Directives Manual defines directives as \xe2\x80\x9c. . . written procedures and policy which\n            are printed as either manuals, orders or notices.\xe2\x80\x9d It defines a manual as \xe2\x80\x9cA rather\n            lengthy directive or combination of closely related directives which usually\n            consists of several chapters used to prescribe or establish policies and operating\n            procedures in functional areas.\xe2\x80\x9d The handbook has 11 chapters and 13\n            appendices. Thus, as a handbook instead of a manual, order, or notice, it does not\n            comply with EPA requirements for the form of an Agency-wide directive. EPA\n            had a manual that covered national security information, Facilities Support and\n            Services Manual, Security Volume 4850, but it is under revision and not available.\n\n            EPA lists the Directives Manual on the EPA Intranet homepage for manuals, but\n            there is no link to it as there is for other manuals. Thus, it is no longer available to\n            EPA staff. The current version of the Directives Manual is dated August 1987.\n            Portions of the Directives Manual are out of date, including the citation to the\n            regulations for its legal authority. However, OARM staff confirmed that the\n            Directives Manual has not been rescinded and still applies.\n\nGuidance Revision Delayed by Pending Regulation Update\n            Before revising the handbook, OARM plans to update the related regulation in\n            40 CFR Part 11. EPA issued this regulation in November 1972 based on the\n            March 1972 EO 11652, Classification and Declassification of National Security\n            Information and Material, and a national security directive dated May 1972. At\n            that time, EPA did not have original classification authority. Three executive\n            orders on national security information (EO 12065 dated June 1978, EO 12356\n            dated April 1982, and EO 12958 dated April 1995) were issued between the 1972\n            EO 11652 and the 2009 EO 13526. The 1972 EPA regulation would not reflect\n            the changed requirements in these EOs, including those in the current EO. Despite\n            the EPA Administrator having had original classification for almost 10 years,\n            since May 2002, the regulation has yet to be updated.\n\n\n\n\n12-P-0543                                                                                          9\n\x0cConclusion\n\n            EPA\xe2\x80\x99s NSI program needs improved internal controls to address the following\n            deficiencies:\n\n               \xef\x82\xb7\t A signed SF 312, documenting an employee\xe2\x80\x99s acceptance of the\n                   obligations contained in the Classified Information Nondisclosure\n                   Agreement is not being put in employees\xe2\x80\x99 Official Personnel Folder, as\n                   provided for in OPM guidance.\n               \xef\x82\xb7 Annual refresher training is not being completed by all those with an EPA\n                   clearance, as required by the handbook.\n               \xef\x82\xb7 Clearances are not being promptly withdrawn when an employee leaves\n                   EPA, as required by the handbook.\n            EPA also needs to update its regulation, policies, and basic guidance document\n            for the NSI program to reflect (1) current government-wide requirements and (2)\n            the proper EPA form for a directive.\n\nRecommendation\n            We recommend that the Assistant Administrator for Administration and\n            Resources Management:\n\n              1.\t Issue a directive to establish controls that address the following\n                  deficiencies identified in this report:\n\n                       \xef\x82\xb7   Put the signed SF 312 in the employee\xe2\x80\x99s Official Personnel Folder\n                       \xef\x82\xb7   Ensure that those with an EPA security clearance complete the\n                           annual refresher training\n                       \xef\x82\xb7   Promptly withdraw a clearance when a cleared employee leaves\n                           EPA\n\nAgency Response and OIG Evaluation\n            The Director of the Office of Administration, within OARM, responded to our\n            draft report on behalf of OARM. OARM concurred with the draft report\xe2\x80\x99s\n            findings and recommendation regarding annual refresher training, withdrawal of a\n            clearance when a cleared employee leaves EPA, the need to update policy\n            documents to reflect current federal requirements, and the need to comply with\n            EPA requirements for directives. However, the Agency did not agree with the\n            finding of a deficiency related to storing the signed SF 312 in an employee\xe2\x80\x99s\n            Official Personnel Folder. While OARM did not concur with the draft report\xe2\x80\x99s\n            finding in this matter, the Personnel Security Branch has begun mailing a copy of\n            the signed SF 312 for new clearance cases to the appropriate EPA human\n            resources service center for inclusion in the employee\xe2\x80\x99s Official Personnel Folder.\n\n\n\n\n12-P-0543                                                                                   10\n\x0c            To support its position that it does not need to keep SF 312s in employees\xe2\x80\x99\n            Official Personnel Folder, OARM offered an e-mail dated February 24, 2012,\n            from a Human Capital Officer at OPM. Per 5 CFR Part 293, Subpart C, the\n            Official Personnel Folder \xe2\x80\x9cof each employee in a position subject to civil service\n            rules and regulations is under the jurisdiction and control of\xe2\x80\x9d OPM. The OPM\n            officer cited OPM and ISOO regulations and made contradictory statements\n            regarding the storage of the SF 312. In one statement, the OPM officer affirmed\n            that \xe2\x80\x9cOPM\xe2\x80\x99s Guide to Personnel Recordkeeping, page 3-19, also specifies the\n            SF 312 is filed on the right side of the OPF [Official Personnel Folder].\xe2\x80\x9d This\n            statement is immediately followed by \xe2\x80\x9cIf an agency chooses to file the SF 312 in\n            the OPF [Official Personnel Folder], it must be filed on the right side.\xe2\x80\x9d\n\n            The OIG disagrees with the characterization of the filing of the SF 312 as\n            optional. As noted earlier in this report, OPM regulation, as set forth in 5 CFR\n            Part 293, Subpart C, states that the Official Personnel Folder \xe2\x80\x9cshall contain long-\n            term records\xe2\x80\xa6 as required by OPM\xe2\x80\x99s instructions and as designated in the Guide\n            to Personnel Recordkeeping.\xe2\x80\x9d The use of the word \xe2\x80\x9cshall\xe2\x80\x9d signals a command to\n            include long-term records in the Official Personnel Folder. The status of the\n            SF 312 as a long-term record is established in the Guide to Personnel\n            Recordkeeping. First, the guide\xe2\x80\x99s filing procedures call for long-term records to\n            be filed \xe2\x80\x9con the right side of the personnel folder.\xe2\x80\x9d Second, the guide\xe2\x80\x99s personnel\n            folder filing instructions state, \xe2\x80\x9cFile the Standard Form 312... on the right side.\xe2\x80\x9d\n            By instructing that the SF 312 be filed on the right side of the Official Personnel\n            Folder, OPM\xe2\x80\x99s Guide to Personnel Recordkeeping establishes the SF 312 as a\n            long-term record and, hence, a document that must be included in the personnel\n            folder. When OPM\xe2\x80\x99s regulation is read together with the personnel folder filing\n            instructions found in OPM\xe2\x80\x99s Guide to Personnel Recordkeeping, we believe that\n            the SF 312 must be in the employee\xe2\x80\x99s Official Personnel Folder.\n\n            EPA has begun to provide for newly signed SF 312s to be included in employees\xe2\x80\x99\n            Official Personnel Folders. Following issuance of the draft report, OARM\n            informed us that it will document this new practice\xe2\x80\x94of mailing a copy of a\n            signed SF 312 for a newly cleared employee to the appropriate human resources\n            service center for inclusion in the employee\xe2\x80\x99s Official Personnel Folder\xe2\x80\x94in a\n            Standard Operating Procedure. OARM issued a Standard Operating Procedure for\n            \xe2\x80\x9cObtaining, Retaining, and Forwarding SF 312s\xe2\x80\x9d on April 9, 2012. This alternate\n            corrective action meets the intent of our recommendation. Therefore, we consider\n            the recommendation resolved. Where appropriate, we have incorporated the\n            Agency\xe2\x80\x99s comments into the body of the report. The Agency\xe2\x80\x99s complete written\n            response to the draft report, and our evaluation of the response, are in appendix A.\n            The e-mail from OPM is in appendix B.\n\n\n\n\n12-P-0543                                                                                     11\n\x0c                                  Status of Recommendations and\n                                    Potential Monetary Benefits\n\n                                                                                                                                 POTENTIAL MONETARY\n                                                     RECOMMENDATIONS                                                              BENEFITS (in $000s)\n\n                                                                                                                     Planned\n    Rec.    Page                                                                                                    Completion   Claimed    Agreed-To\n    No.      No.                           Subject                          Status1        Action Official             Date      Amount      Amount\n\n     1       10     Issue a directive to establish controls that address      O       Assistant Administrator for    12/31/12\n                    the following deficiencies identified in this report:                Administration and\n                      \xef\x82\xb7\t Put the signed SF 312 in the employee\xe2\x80\x99s \n                     Resources Management\n                         Official Personnel Folder \n\n                      \xef\x82\xb7\t Ensure that those with an EPA security \n\n                         clearance complete the annual refresher \n\n                         training\n\n                      \xef\x82\xb7\t Promptly withdraw a clearance when a \n\n                         cleared employee leaves EPA\n\n\n\n\n\n1    O = recommendation is open with agreed-to corrective actions pending\n     C = recommendation is closed with all agreed-to actions completed\n     U = recommendation is unresolved with resolution efforts in progress\n\n\n\n\n12-P-0543                                                                                                                                          12\n\x0c                                                                                    Appendix A\n\n               Agency Response to Draft Report and \n\n                         OIG Evaluation\n\n\n                                          March 2, 2012\n\nMEMORANDUM\n\nSUBJECT:\t Response to Draft Report OPE-FY10-0024\n\nFROM:\t         Renee Page, Director\n               Office of Administration\n\nTO:\t           Elizabeth A. Grossman, Acting Assistant Inspector General for Program\n               Evaluation\n               Office of Inspector General\n\nOn behalf of the Office of Administration and Resources Management, thank you for the\nopportunity to respond to the Office of Inspector General\xe2\x80\x99s draft report of February 3, 2012:\nEPA\xe2\x80\x99s National Security Information Program Could Be Improved. The Office of\nAdministration and Resources Management concurs with the draft report\xe2\x80\x99s findings and\nrecommendation regarding annual refresher training, withdrawal of a clearance when a cleared\nemployee leaves EPA, the need to update policy documents to reflect current federal\nrequirements and the need to comply with EPA requirements for directives. We do not concur\nwith the finding of a deficiency related to storing Standard Form 312 in the Official Personnel\nFolder. Our planned completion date, description of corrective actions already initiated or\nplanned and comments are below.\n\nDraft Report\xe2\x80\x99s Recommendation\nIssue a directive to establish controls that address the following deficiencies identified in this\nreport:\n    \xef\x82\xb7 Put the signed Standard Form 312 in the employee\xe2\x80\x99s Official Personnel Folder\n    \xef\x82\xb7 Ensure that those with an EPA security clearance complete the annual refresher training\n    \xef\x82\xb7 Promptly withdraw a clearance when a cleared employee leaves EPA\n\nPlanned Completion Date\nBy April 30, 2012, the Security Management Division will submit an updated version of the\nNational Security Information Handbook to the Office of Human Resources Program\nManagement and Communications Office for the EPA directives clearance review process. The\nupdated version will establish controls addressing annual refresher training and prompt\nwithdrawal of a clearance when an employee leaves EPA. The document will reflect current\ngovernment-wide requirements for NSI programs and comply with all requirements for EPA\ndirectives.\n\n\n12-P-0543                                                                                         13\n\x0cCorrective Actions Already Initiated or Planned\n   \xef\x82\xb7 The NSI program has taken the first step in the review process by discussing the\n       proposed directive with the Program Management and Communications Office.\n   \xef\x82\xb7 To ensure timely compliance with the requirement to complete annual refresher training,\n       the Security Management Division will administratively withdraw the clearance of\n       employees who do not comply. This information will be included in the updated\n       Handbook; related outreach and education will be developed.\n   \xef\x82\xb7 The NSI program is modifying EPA Order 4850 to require clearance holders to notify the\n       NSI program when they are leaving the agency so they can undergo mandatory\n       debriefing. The Order will be submitted for the EPA directives clearance review process.\n       The requirement will be included in the updated Handbook; related outreach and\n       education will be developed.\n   \xef\x82\xb7 The Personnel Security Branch is now submitting a weekly list of employees whose\n       clearance status has changed to the Office of Personnel Management for inclusion in the\n       Central Verification System.\n\nOIG Response: By May 1, 2012, OARM\xe2\x80\x99s Security Management Division had disseminated\nEPA Order 4850 and the National Security Information Manual 4850 for comment through the\nAgency\xe2\x80\x99s directives clearance process. The Security Management Division Director later\ninformed us that EPA anticipates issuing both the Order 4850 and the Manual 4850 by\nDecember 31, 2012. Taken together with the actions listed above, the proposed corrective actions\nand milestones meet the intent of the recommendation.\nComments Regarding Standard Form 312\nOARM disagrees with the draft report\xe2\x80\x99s finding that the SF 312 is \xe2\x80\x9crequired by government-wide\nguidance to be kept in the employee\xe2\x80\x99s Official Personnel Folder.\xe2\x80\x9d This is not a requirement, but\nrather an option. Per the Information Security Oversight Office regulation set forth in 32 CFR\nSection 2001.80(d)(2)(vii):\n\n       For agreements executed by civilian employees of the United States Government, an\n       agency may store the executed copy of the SF 312 and SF 189 in the United States Office\n       of Personnel Management\xe2\x80\x99s Official Personnel Folder as a long-term (right side)\n       document for that employee.\n\nOIG Response: As noted earlier in this report, ISOO is responsible for oversight of the\ngovernment-wide security classification system. However, ISOO does not have responsibility for\nthe Official Personnel Folder. As stated in OPM\xe2\x80\x99s regulation, 5 CFR Part 93, Subpart C, Section\n293.303:\n\n       Ownership of folder.\n       The OPF of each employee in a position subject to civil service rules and\n       regulations is under the jurisdiction and control of, and is part of the records of,\n       the Office of Personnel Management (the Office).\n\nISOO\xe2\x80\x99s regulation does not preclude the SF 312 from being stored in the Official Personnel\nFolder; they simply indicate that the storage is optional. In light of OPM having jurisdiction over\n\n\n\n12-P-0543                                                                                        14\n\x0cemployees\xe2\x80\x99 Official Personnel Folders, OPM\xe2\x80\x99s regulation supersedes ISOO\xe2\x80\x99s regulation with\nrespect to the maintenance and content of the Official Personnel Folder.\n\nPer OPM regulations, as set forth in 5 CFR Part 293.304:\n\n       The head of each agency shall maintain in the Official Personnel Folder the reports of\n       selection and other personnel actions named in section 2951 of title 5, United States\n       Code. The folder shall contain long-term records affecting the employee's status and\n       service as required by OPM's instructions and as designated in the Guide to Personnel\n       Recordkeeping.\n\nThe SF 312 is not a report of selection or other personnel action named in section 2951 of title 5,\nUSC and does not affect the employee\xe2\x80\x99s status and service. The Guide to Personnel\nRecordkeeping does not say that the SF 312 must be included in the Official Personnel Folder,\nbut only, \xe2\x80\x9cFile the Standard Form 312 and Standard Form 189 on the right side.\xe2\x80\x9d\n\nOIG Response: As the Agency itself notes in response to the draft report, OPM\xe2\x80\x99s regulation, as\nset forth in 5 CFR Part 293.304, states (emphasis added):\n\n       The head of each agency shall maintain in the Official Personnel Folder the\n       reports of selection and other personnel actions named in section 2951 of title 5,\n       United States Code. The folder shall contain long-term records affecting the\n       employee\xe2\x80\x99s status and service as required by OPM\xe2\x80\x99s instructions and as\n       designated in the Guide to Personnel Recordkeeping.\n\nThe word \xe2\x80\x9cshall\xe2\x80\x9d clearly imports compulsion and obligation.\n\nThe status of the SF 312 as a long-term record is established in OPM\xe2\x80\x99s Guide to Personnel\nRecordkeeping, which states, in Chapter 3:\n\n       Long-term documents\n       Long-term documents are records kept for the life of the folder\xe2\x80\xa6 filed in chronological\n       order on the right side of the personnel folder.\n\nOPM\xe2\x80\x99s Guide to Personnel Recordkeeping states, in Section 3-G:\n\n       Personnel Folder Filing Instructions\n       File the Standard Form 312 and Standard Form 189 on the right side.\n\nThe imperative verb tense, \xe2\x80\x9cfile,\xe2\x80\x9d expresses a direct command. By instructing that the SF 312 be\nfiled on the right side of the Official Personnel Folder, OPM\xe2\x80\x99s Guide to Personnel\nRecordkeeping establishes the SF 312 as a long-term record and, hence, a document that must be\nincluded in the personnel folder. When OPM\xe2\x80\x99s regulation is read together with the personnel\nfolder filing instructions found in OPM\xe2\x80\x99s Guide to Personnel Recordkeeping, we believe that the\nSF 312 must be in the employee\xe2\x80\x99s Official Personnel Folder.\n\n\n\n\n12-P-0543                                                                                        15\n\x0cOffice of Personnel Management Human Capital Officer XXXXXXXXX confirmed to EPA that\nthere is no requirement to store the SF 312 in the Official Personnel Folder (see attached\nFebruary 24, 2012, email):\n\nAs authorized in 5 CFR 293.304, OPM provides instructions in the Guide to Personnel\nRecordkeeping regarding the long-term records kept in the OPF 32 CFR 2001.80(d)(2)(vii)\nrequires an agency to retain executed copies of the SF 312 in a file system, which could include\nthe OPF 32 CFR specifies that if the OPF is used to file the SF 312, it would be filed as a long-\nterm (right side) document. OPM\xe2\x80\x99s Guide to Personnel Recordkeeping, page 3-19, also specifies\nthe SF 312 is filed on the right side of the OPF. If an agency chooses to file the SF 312 in the\nOPF, it must be filed on the right side.\n\nOIG Response: We are not aware of the details surrounding the communications between EPA\nand the OPM human capital officer on this issue. However, until OPM officially changes the\nCFR, these comments are unsupported. OPM\xe2\x80\x99s regulation, as set forth in 5 CFR Part 293.304,\nstates (emphasis added):\n       The head of each agency shall maintain in the Official Personnel Folder the\n       reports of selection and other personnel actions named in section 2951 of title 5,\n       United States Code. The folder shall contain long-term records affecting the\n       employee\xe2\x80\x99s status and service as required by OPM\xe2\x80\x99s instructions and as\n       designated in the Guide to Personnel Recordkeeping.\nISOO\xe2\x80\x99s regulation does not preclude the SF 312 from being stored in the Official Personnel\nfolder; they simply indicate that the storage is optional. Since it is OPM, and not ISOO, that has\njurisdiction over employees\xe2\x80\x99 Official Personnel Folders, OPM\xe2\x80\x99s regulation supersedes ISOO\xe2\x80\x99s\nregulation with respect to the maintenance and content of the Official Personnel Folder.\n\nOARM\xe2\x80\x99s position is also supported by the National Archives and Records Administration\nGeneral Records Schedule 18, item 25, \xe2\x80\x9cClassified Information Nondisclosure Agreements,\xe2\x80\x9d\nwhich says that the SF 312 may be filed on the right side of the Official Personnel Folder. It does\nnot say the SF 312 must be filed in the Official Personnel Folder.\n\nOIG Response: OPM, not the National Archives and Records Administration, has jurisdiction\nand ownership over employees\xe2\x80\x99 Official Personnel Folders. OPM\xe2\x80\x99s regulation dictates the\nmaintenance and content of the Official Personnel Folder.\n\nWhile OARM does not concur with the draft report\xe2\x80\x99s finding in this matter, the Personnel\nSecurity Branch has begun mailing a copy of the signed SF 312 for new clearance cases to the\nappropriate Shared Services Center for inclusion in the employee\xe2\x80\x99s Official Personnel Folder,\nmaking it easier for employees to access the form.\n\nOIG Response: Since issuance of the draft report, OARM informed us that it intends to\ndocument this new practice\xe2\x80\x94of mailing a copy of a signed SF 312 for a newly cleared employee\nto the appropriate human resources service center for inclusion in the employee\xe2\x80\x99s Official\nPersonnel Folder\xe2\x80\x94in a Standard Operating Procedure. OARM issued a Standard Operating\nProcedure for \xe2\x80\x9cObtaining, Retaining, and Forwarding SF 312s\xe2\x80\x9d on April 9, 2012. We accept this\ncorrective action as an alternative to a requirement in the new directive.\n\n\n12-P-0543                                                                                        16\n\x0cComments Regarding Description of NSI Program Functions\nThe opening sentence in \xe2\x80\x9cAt a Glance\xe2\x80\x9d states: \xe2\x80\x9cUnder its classified NSI program, EPA has\nassigned responsibilities and provided guidance, training, facilities, equipment, and information\nsystems to monitor some of its activities.\xe2\x80\x9d However, the NSI program does not provide\nequipment (e.g., secure telephones) or information systems. Programs and regions provide their\nown, following NSI program specifications. They also provide their own secure space, again\nfollowing NSI program specifications, unless construction costs are over a certain threshold. We\nsuggest that the first sentence in \xe2\x80\x9cAt a Glance\xe2\x80\x9d be changed to, \xe2\x80\x9cUnder its classified NSI program,\nEPA has assigned responsibilities and provided guidance, training and oversight.\xe2\x80\x9d\n\nOIG Response: We agree to this revision of the opening sentence in the \xe2\x80\x9cAt a Glance.\xe2\x80\x9d\n\nAgain, we appreciate this opportunity to respond to the draft report.\n\n\n\n\n12-P-0543                                                                                      17\n\x0c                                                                                    Appendix B\n\n         E-mail From U.S. Office of Personnel Management\n\nThe following e-mail was submitted by an OPM Human Capital Officer to EPA on February 24,\n2012.\n\n\nSubject: Guidance on Filing SF 312\n\nOPM has responsibility for developing regulations, practices, and procedures for the\nestablishment, maintenance, and transfer of the Official Personnel File (OPF), per 5 CFR\n293.303. As authorized in 5 CFR 293.304, OPM provides instructions in the Guide to Personnel\nRecordkeeping regarding the long-term records kept in the OPF. 32 CFR 2001.80(d)(2)(vii)\nrequires an agency to retain executed copies of the SF 312 in a file system, which could include\nthe OPF. 32 CFR specifies that if the OPF is used to file the SF 312, it would be filed as a long-\nterm (right side) document. OPM\xe2\x80\x99s Guide to Personnel Recordkeeping, page 3-19, also specifies\nthe SF 312 is filed on the right side of the OPF. If an agency chooses to file the SF 312 in the\nOPF, it must be filed on the right side. According to 32 CFR 2001.80(d)(2)(vii), an agency must\ninform ISOO of the file system it uses to store the SF 312.\n\nLinks to references:\n\n- 5 CFR 293, Subpart C \xe2\x80\x93 Official Personnel Folder : http://ecfr.gpoaccess.gov/cgi/t/text/text\xc2\xad\nidx?c=ecfr&sid=c88c958dac1f7e27a7228d104cb931f0&rgn=div6&view=text&node=5:1.0.1.2.2\n7.3&idno=5\n\n- 32 CFR 2001.80(d)(2)(vii): http://ecfr.gpoaccess.gov/cgi/t/text/text\xc2\xad\nidx?c=ecfr&sid=8293bfcddf7b469beb41cd052512e412&rgn=div5&view=text&node=32:6.2.6.1\n9.2&idno=32#32:6.2.6.19.2.8.29.1\n\n- Guide to Personnel Recordkeeping: http://www.opm.gov/feddata/recguide2008.pdf\n\n\n\n\n12-P-0543                                                                                      18\n\x0c                                                                               Appendix C\n\n                                    Distribution\nOffice of the Administrator\nAssistant Administrator for Administration and Resources Management\nAgency Follow-Up Official (the CFO)\nAgency Follow-Up Coordinator\nGeneral Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator for External Affairs and Environmental Education\nDirector, Office of Administration, Office of Administration and Resources Management\nAudit Follow-Up Coordinator, Office of Administration and Resources Management\n\n\n\n\n12-P-0543                                                                               19\n\x0c"